Community Champion

Talk standards to me... OAuth 2.1 draft released

We have a new IETF draft for OAuth v2.1, Authorization Framework. It's not radically different from 2.0, but does have the latest security best practices built-in by design. Aaron Parecki had a great blog post explaining the rationale behind the update.


The main changes for your dev teams to be aware of are:


  • Proof Key for Code Exchange (PKCE) is now required for the authorization code grant.
  • Exact matching is required for redirect URIs.
  • Refresh tokens are now sender-constrained or one-time use only.
  • Implicit grant and Resource Owner Password Credentials grant have been removed.
  • Bearer tokens in query parameters are no longer allowed.


Image by Aaron Parecki.
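To make the list above concrete, here is an added example (not code from the post, the draft, or Aaron Parecki) of a hypothetical in-memory authorization server and resource server that enforce four of the five changes: S256 PKCE on the code grant, exact redirect_uri matching, one-time-use refresh tokens with rotation (and revocation of the whole grant if a consumed token is replayed), and refusal of bearer tokens in the query string. All class and function names are this example's own; the RFC 7636 Appendix B test vector is used to check the S256 challenge computation.

```python
import base64
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-char verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Server side: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def redirect_uri_matches(registered: List[str], presented: str) -> bool:
    """Exact string comparison only: no prefix, wildcard, or trailing-slash leniency."""
    return presented in registered


def bearer_from_request(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Resource server: take the token from the Authorization header only.
    A token passed as ?access_token=... is ignored; it would end up in logs and Referer."""
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


class AuthorizationServer:
    """Hypothetical in-memory AS (example only) applying the OAuth 2.1 rules from the post."""

    def __init__(self, clients: Dict[str, List[str]]):
        self.clients = clients  # client_id -> registered redirect URIs
        self.codes: Dict[str, Tuple[str, str, str]] = {}  # code -> (client_id, redirect_uri, challenge)
        self.refresh_tokens: Dict[str, Tuple[str, str]] = {}  # live refresh token -> (client_id, grant_id)
        self.used_refresh: Dict[str, str] = {}  # consumed refresh token -> grant_id (for replay detection)
        self.revoked_grants: set = set()

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, method: str) -> str:
        if method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        if not redirect_uri_matches(self.clients.get(client_id, []), redirect_uri):
            raise ValueError("redirect_uri must exactly match a registered URI")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def _issue(self, client_id: str, grant_id: str) -> Dict[str, str]:
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (client_id, grant_id)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "refresh_token": refresh}

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> Dict[str, str]:
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri or not verify_pkce(code_verifier, challenge):
            raise ValueError("client_id, redirect_uri or PKCE verifier mismatch")
        return self._issue(client_id, grant_id=code)

    def refresh(self, client_id: str, refresh_token: str) -> Dict[str, str]:
        entry = self.refresh_tokens.pop(refresh_token, None)  # one-time use: consumed on success
        if entry is None:
            grant = self.used_refresh.get(refresh_token)
            if grant is not None:  # replay of a consumed token: revoke the whole grant
                self.revoked_grants.add(grant)
                self.refresh_tokens = {t: v for t, v in self.refresh_tokens.items() if v[1] != grant}
            raise ValueError("invalid refresh token")
        cid, grant = entry
        if cid != client_id or grant in self.revoked_grants:
            raise ValueError("invalid refresh token")
        self.used_refresh[refresh_token] = grant
        return self._issue(client_id, grant)  # rotated: a new refresh token replaces the old one


def _raises(fn: Callable[[], object]) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> Dict[str, bool]:
    """Run a full code+PKCE flow plus the abuse cases; returns which rules held."""
    srv = AuthorizationServer({"app": ["https://app.example/cb"]})
    cb, v = "https://app.example/cb", make_code_verifier()
    code = srv.authorize("app", cb, make_code_challenge(v), "S256")
    first = srv.token("app", code, cb, v)
    r = {"token_issued": first["token_type"] == "Bearer"}
    r["code_replay_rejected"] = _raises(lambda: srv.token("app", code, cb, v))
    r["plain_method_rejected"] = _raises(lambda: srv.authorize("app", cb, v, "plain"))
    r["redirect_prefix_rejected"] = _raises(lambda: srv.authorize("app", cb + "/", make_code_challenge(v), "S256"))
    code2 = srv.authorize("app", cb, make_code_challenge(v), "S256")
    r["wrong_verifier_rejected"] = _raises(lambda: srv.token("app", code2, cb, make_code_verifier()))
    second = srv.refresh("app", first["refresh_token"])
    r["refresh_rotated"] = second["refresh_token"] != first["refresh_token"]
    r["refresh_replay_rejected"] = _raises(lambda: srv.refresh("app", first["refresh_token"]))
    r["grant_revoked_after_replay"] = _raises(lambda: srv.refresh("app", second["refresh_token"]))
    r["query_token_ignored"] = bearer_from_request({}, {"access_token": "x"}) is None
    return r


if __name__ == "__main__":
    print(demo())
```

Sender-constrained refresh tokens (the other option the post mentions) are not shown; that requires binding the token to a client key via mTLS or DPoP and is a separate piece of machinery.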